Databricks Community

bricksdata · ‎02-08-2023

Problem

I'm unable to authenticate against the https://accounts.cloud.databricks.com endpoint even though I'm an account admin. I need it to assign account level groups to workspaces via the workspace assignment api (https://api-docs.databricks.com/rest/latest/permission-assignment-account-api.html) which is recommended by Databricks.

Our Databricks instance is deployed to AWS.

What's been tried

Create PAT token
Test that I can authenticate against workspace endpoints
Test workspace assignment endpoint with unauthorised error
Calling Groups account endpoint with unauthorised error

Code

def list_account_groups():
    """Note: Requires Account admin PAT token to list all account groups"""
    api_version = '/api/2.0'
    api_command = "/scim/v2/Groups"
    url = f"https://accounts.cloud.databricks.com{api_version}/accounts/{ACCOUNT_ID}{api_command}"
 
    header = {
        "accept": "application/scim+json",
        "Authorization": f"Bearer {DATABRICKS_TOKEN}"
    }
    
    response = requests.get(url, headers=header)
    print(response.status_code)
    print(json.dumps(json.loads(response.text), indent = 2))

Response:

401
{
  "message": "Cannot complete request; user is unauthenticated"
}

Anonymous · ‎04-09-2023

@lasse l :

It seems like the authentication token you are using is not authorized to access the Account API endpoint. The fact that you are able to authenticate against workspace endpoints using the same token suggests that the issue is specific to the Account API.

Here are a few steps you can try to troubleshoot the issue:

Make sure that your PAT token has the appropriate permissions to access the Account API. You can check this by going to the Databricks web interface and navigating to the "User Settings" > "Tokens" page. Check that the token has the "Manage" permission for the "Account Management API".
Check that the ACCOUNT_ID variable is set to the correct account ID. You can find this ID in the Databricks web interface by going to the "Admin Console" > "Account Settings" page.
Check that you are using the correct endpoint URL. The URL you are using in your code is correct for the public cloud instance of Databricks, but if you are using a Databricks deployment on a different cloud provider, the URL may be different. You can find the correct endpoint URL in the Databricks documentation for your cloud provider.
Check that the account admin role is correctly assigned to your user account. You can check this by going to the Databricks web interface and navigating to the "Admin Console" > "User Management" page. Check that your user account has the "Account Admin" role assigned to it.

Hope this helps!

surojit88 · ‎09-04-2023

"Check that the token has the "Manage" permission for the "Account Management API"

Can you elaborate how to do the above from the workspace UI?

Anonymous · ‎04-10-2023

Hi @lasse l

Thank you for posting your question in our community! We are happy to assist you.

To help us provide you with the most accurate information, could you please take a moment to review the responses and select the one that best answers your question?

This will also help other community members who may have similar questions in the future. Thank you for your participation and let us know if you need any further assistance!

137292 · ‎07-12-2024

From this doc: To automate Databricks account-level functionality, you cannot use Databricks personal access tokens. Instead, you must use either OAuth tokens for Databricks account admin users or service principals. For more information, see:

Databricks Community

Unable to authenticate against https://accounts.cloud.databricks.com as an account admin.

Join Us as a Local Community Builder!

Data + AI Summit 2025 — registration now open!

Unlocking Next-Gen Customer Experiences with Data Intelligence for Marketing

Deep Dive: How Row-level Concurrency Works Out of the Box

2025 DLT Update: Intelligent, fully governed data pipelines